Published February 2022
Ryan Witt is a true believer. As managing director of healthcare for Proofpoint, he believes deeply in the connection between providing patient care and cybersecurity. Of course, recent events have borne him out, as cyberattacks have forced health systems to return to paper for weeks, and even necessitated the diversion of patients elsewhere. Witt says he’s shocked on occasion to see some health systems not utilizing all the best practices out there. In this Partner Perspective Interview, he also notes how most cyberattacks are happening, and later identifies some new, extremely promising technologies, all as part of his effort to spread the gospel of cyber-preparedness.
Podcast duration: 40:10 (27.6MB)
Bold Statements
“But when it really gets to the point where you can’t provide patient care because there weren’t enough cyber defenses in place and people who are mid-chemo treatment or something like that get denied service or have to go somewhere else, I find that I do get a little bit frustrated about that, and I would like to see the industry be more overt in trying to make progress there.”
“The work has been done to show you how to block and tackle, if you want to continue that analogy, but at some point we have to start actually executing on the mission. There are a number of surveys that have come out that show the level of capabilities which have been installed or implemented in healthcare and it’s shocking.”
“ … it feels like those institutions who have richness of budget have an IT team or a CISO who do a really, really good job of articulating the importance of the cybersecurity mission as it connects to the overall hospital mission.”
Anthony: Welcome to healthsystemCIO’s Partner Perspective interview series. I’m Anthony Guerra, founder and editor-in-chief. Today, we’re talking with Ryan Witt, managing director of healthcare for Proofpoint. Ryan, thanks for joining me today.
Ryan: It’s great to be here.
Anthony: Very good. Can you start by telling me a little bit about your organization and your role there?
Ryan: Proofpoint is wholly focused from a cyber standpoint on protecting people and how they work and how they interact with their people, their staff, their clinicians, their systems. And what I mean by that is the cyber landscape has changed quite dramatically and people now are the target of almost all cyber attacks, and really the level of social engineering that we’re seeing from these bad actors means that they’re really focused on how their targets communicate with their peers, how they communicate, in a healthcare context, with patients, how they interact with their third party or business associates. And so that messaging platform is a big thrust of attack; how they interact with the cloud environment, the importance of cloud apps in running their overall systems or their networks or interacting with patient care or patients, is becoming a big thrust of attacks.
Proofpoint is really trying to focus on all those tools and capabilities that safeguard and secure that environment to give the maximum amount of protection where, at least, today we see the real lion’s share of all that bad actor or cyber criminal activity.
As far as my role, I have this tunnel vision focus on healthcare. Proofpoint made a deliberate investment in trying to become more and more relevant to a small number of industry segments. This is about 5 years ago. This is a long journey for us, an important journey for us, and my role is to be like the internal and the external megaphone. So understand what the use cases are, understand how we can adapt our solutions and our partnerships and our capability and adjust our roadmap, so that we present the most optimal experience for healthcare industry customers.
Anthony: One of the biggest themes I’ve come across recently is third-party risk, highlighted by the Kronos outage. Do you think that served as a wake-up call?
Ryan: Gosh, I want to say yes but I feel like healthcare, in particular, has had a lot of wake-up calls from a cyber perspective over the last 3, 4, 5 years. I mean, we’ve had multiple ransomware events that were wake-up calls. We had multiple phishing attacks that have been wake-up calls. We have multiple large scale PHI breaches that have been wake-up calls. We’ve had health systems that have gone down for the best part of a month and can’t provide patient care in any meaningful way. That was supposed to be a wake-up call.
I don’t want to appear to be overly cynical, but I think we have to recognize that cyber attacks are ever present in healthcare. Should we learn from this? Absolutely, we should learn from this. I think the exposure of the supply chain or third party risk or the vulnerability of your business associates is a – I won’t say it’s a new tactic – but it’s certainly been a tactic that has gained a lot of momentum because of these high profile events.
We should learn from that and we should capitalize on that, in terms of making sure that the institutions and hospital boards – those who affect cyber strategy – are aware of them, but I find it hard to say it’s a wake-up call because that implies it’s going to be some seminal event or change, and I don’t necessarily see that happening, unfortunately.
Anthony: We’ve talked before, and I get the sense you feel some frustration that there are things health systems should be doing in terms of cyber that you don’t see being done. Is that the case?
Ryan: I think that’s the case. I appreciate how difficult it is for health systems to do their job. It is the most noble industry, bar none, in my view. I have actively chosen to work in healthcare albeit from a vendor standpoint. I’m really appreciative of the work that they do. I don’t want to come across as overtly critical or cynical. However, we have to also recognize that there are other capabilities that are commonplace across other industries.
Let me give you this for instance. I recently had a credit card breach. How did I know about that? Because immediately, almost in real time, somebody was trying to use my credit card to make a purchase. How did I know? That credit card company contacted me on text and asked if I authorized the purchase. So they had the level of tools in place, they had the level of analytics in place, they had the level of automation in place that can detect, mitigate, remediate, almost in real time and there’s nothing particularly special about that because that capability has existed for a long time and probably everybody who is listening to this will probably be able to identify with a similar experience.
Healthcare doesn’t have those tools yet in place. And so that exact capability may not be what’s needed in healthcare but the attitude is what’s needed whenever we try to talk in terms of the willingness and the recognition that we have to make the investment in this resourcing and tools and layers of security to safeguard our environments. I think that’s what I’d like to see healthcare embrace more and more.
It’s one thing when the breach or the cyber event results in brand erosion. I mean, nobody wants that. No one wants financial loss in an industry that’s working on such razor-thin margins. No one wants to see the name on the wall of shame or whatever and the fines that ensue from all that. Those are obviously terrible events that you don’t want to be a part of. But when it really gets to the point where you can’t provide patient care because there weren’t enough cyber defenses in place and people who are mid-chemo treatment or something like that get denied service or have to go somewhere else, I find that I do get a little bit frustrated about that, and I would like to see the industry be more overt in trying to make progress there.
Again, I don’t want to be overly critical, but I think it’s important that we recognize where we are and what we are and there’s a degree of “patient heal thyself,” I guess, if I want to use that phraseology.
Anthony: If we can use a football term, you want to see the basic blocking and tackling being done. Now, you know Erik Decker from Intermountain; I interviewed him recently and we talked about all the best practices resources that are available. He has worked on many of them. It sounds like you are seeing some of that stuff not being done.
Ryan: Absolutely. I think this is one of the things that’s really wonderful about healthcare because that work Erik Decker is doing with Health & Human Services and the 405d team and, I think, the cybersecurity preparedness documentation which is very comprehensive and really strong… you could walk into healthcare or walk into cybersecurity not knowing a whole lot about how to build out a security framework and there’s this amazing playbook there for you.
The work has been done to show you how to block and tackle, if you want to continue that analogy, but at some point we have to start actually executing on the mission. There are a number of surveys that have come out that show the level of capabilities which have been installed or implemented in healthcare and it’s shocking. You see that things that are just basic – multi-factor authentication or encryption, I won’t go down the whole list – but the adoption rate is sometimes sub-15%. You’re just like, wait a minute.
Anthony: I hear different opinions on this, but are healthcare CISOs getting the budget they need?
Ryan: It’s anecdotal but it feels like those institutions who have richness of budget have an IT team or a CISO who do a really, really good job of articulating the importance of the cybersecurity mission as it connects to the overall hospital mission. They can make a direct connection to the hospital’s mission around patient care, patient safety. They communicate that: you’re delivering patient care, patient safety, and you need to have that robust cybersecurity foundation because if you don’t, you’re extremely vulnerable to falling down on that mission.
I think too frequently, however, there’s this connection of security around compliance. I think one of the real adverse byproducts of Meaningful Use was that it relegated security into almost like a compliance angle. All that investment that was made back then, it was around checking off the boxes and making sure that you were compliant with regulations, but I think we all knew at the time, and we certainly all know now, that compliance and security are completely different. Yes, you’re compliant but your systems are porous. I think in some institutions there’s been a hangover and tough time to shake off that notion.
Anthony: Yeah, I think when they did Meaningful Use they forgot security and interoperability. (laughing)
Ryan: I think they forgot that one too. (laughing)
Anthony: They couldn’t do it all, I guess, but those were two pretty big holes.
Ryan: Right.
Anthony: What’s considered blocking and tackling is expanding, as the implications of an outage get larger. I suspect IT security leaders have not really practiced going to paper and back again, and worked with clinical and operational leaders on that.
Ryan: I think that’s really important; to work with the clinicians on this, but it’s also true that there are only so many things you can ask them to do; and so maybe you should be asking them to have a willingness to change some of the workflows so that they can embrace some technology in the process that will provide better safeguards so maybe you never have to get to the point where you roll out the (transition to paper and back) game plan.
I think it’s one of those tradeoffs about where you put your investment and time, maybe a little bit of money too. But really it’s your investment of time, because that seems to be the big challenge with that community: they’re obviously very focused on patient care, and with that tunnel vision focus on a patient, they don’t really want to spend too much time on these back office initiatives.
Anthony: There are a couple of things here. There’s education, which is something we talk about a lot, creating security culture – you’ll never be successful in security if you don’t get your users to care about security. You’re talking about maybe continuing to educate clinicians about the importance of security, but it sounds like you’re also talking about getting them to give a little bit in terms of changes to workflow, perhaps things taking an extra second or so because it’s going to give so much upside in security?
Ryan: Let me give you a real life for instance. There is a capability called isolation technology. Isolation technology essentially allows a user to interact with all the tools and messaging platforms in cloud apps that they would want to interact with, but it is done in such a way that you spin up that engagement in a container.
There is a safeguard in place for that clinician, for any data that that clinician’s looking at, for the institution; so there is no seepage in or out, in terms of data that shouldn’t exfiltrate or seepage of malware or other forms of attack that shouldn’t get in the network. Isolation technology is really popular if you have a lot of third party consultants in your organization; it’s a really strong safeguard.
Anthony: So you see isolation technology as a strong solution or tool? Where, besides with the consultants you mentioned, do you see it being used?
Ryan: Absolutely. We see isolation technology being deployed in a couple of areas. One is what we call the happy clickers. Those who click on everything and maybe haven’t really embraced the training or absorbed the training where they should. Two, people who just work in a vulnerable way. I mean, just by the nature of their job, they have to download a lot of third-party forms, files, interactive third-party apps. They are not doing anything wrong; it’s just the nature of their jobs.
Let’s say you’re in HR and your job is to onboard or recruit new applicants. You have got to take on résumés and applications and all that; you’re working in a more vulnerable way. You might put that person on isolation. You might put somebody under isolation who, if not working in a vulnerable way, has access to a lot of very valuable information, maybe somebody in your IT teams who has all the passwords. If they are compromised, that would be really, really damaging.
Yes, absolutely, isolation would be applicable for an internal employee and for a consultant or a third-party worker too.
Anthony: Do you think this is going to happen with clinicians; in terms of working in an isolation container?
Ryan: We do see it. We absolutely do see a strong trend, particularly since the large ransomware events in the last year or so – where you’ve seen a strong uptick in interest in isolation technology.
Anthony: To what degree do you think CISOs in health systems are looking at this and considering rolling it out? Is this widespread, or do you think this is not quite something they’re really engaging with yet? Is it because it will require some minor adjustments, as you mentioned?
Ryan: I think all those things.
I think back to maybe your observation, a few minutes ago. This is one of those things where I think they see the value in it. I think it has a priority in terms of their investment stack. I don’t think there’s a money issue on it, per se, but it’s a prioritization sequence – when do I deploy this tech capability versus other ones that I’m looking at as well. I think that’s more of the reason we see a little bit of slowness in adoption.
Anthony: But you would encourage them to take a look at this?
Ryan: I would absolutely encourage them to take a look at isolation technology. It’s a capability that works. It has been around for a while now, so you can definitely deploy it with confidence.
Anthony: I’ve got a few more questions here. I’m going to let you pick because we could spend all day on the call but I want to see what direction you want to go in. A few things that I was going to talk to you about were cyber insurance issues; the CISO role and reporting structures; and the workforce shortage. What do you feel like addressing?
Ryan: Gosh, they’re all good areas to talk about. Let’s just go from the top, cyber insurance.
The Proofpoint healthcare customer advisory board told us that when you have to go renew your insurance, the things you need to have in place have grown exponentially; it’s 4, 5, 6 times the level of information they want to take on board to look at. They also want to define what is an insurable event. When it gets around to ransomware, it’s even more pronounced. We have heard several organizations talking very seriously about this whole notion of just becoming self-insured. They can’t do away with it totally, but the level of time and resource investment means they are saying maybe we should just think more about making that investment in capability and resources and people and team and processes.
They do all cite that one of the real byproducts or silver linings for the cyber insurance changes is that the CISO can use these requirements to support their requests. They can say, “See, this is a third party now essentially saying what I’ve been telling you for a long time.”
Anthony: Cyber insurance is one way of mitigating risk. We’re hearing the CISO being called the Chief Risk Officer. They identify the risk and tell the business about it, and about ways it can be mitigated.
Ryan: This gets us on to one of your other questions – the growing importance of the CISO role, right. I think you hit the nail on the head, I mean they are becoming the chief risk officer. I don’t see that job title yet but I wouldn’t be surprised if we do have that job title going forward.
I wouldn’t be surprised as a result if you see the CISO, at some stage, move out of IT to under the CEO or maybe under the CFO or the COO because being able to go understand and measure the risks associated with a cyber event and articulating that risk back to the health institution – really to those and to the highest level, those decision makers and stakeholders who can then therefore go affect strategy – is critical.
I think that seems to be a trend line of how the CISO role is adapting and morphing and becoming far more strategic in a way that we just couldn’t see a couple of years ago. I think more and more, it’s really, really being equated to a risk conversation. It’s acknowledgement that we can’t solve for all of it, but we can certainly do a lot better to mitigate our risks; and so how do we assess that risk, how do we understand the value attached to certain percentage changes, up or down in risks, and then what’s the tolerance level for that and, if we don’t have the right tolerance level, how do we put the mechanisms in place to mitigate the best we can against that.
Anthony: Let’s touch on the workforce shortage. I’m sure it’s hit IT security, but on the upside of things, remote work is allowing health systems to hire nationally.
Ryan: I mean, we do not have a conversation with a customer in healthcare or even outside of healthcare where it’s not a regular ask to provide staff augmentation. It’s very clear that everybody is suffering from this challenge. I think this challenge gets resolved in multiple different ways.
There are going to be staff augmentation solutions in places, like what Proofpoint is putting in place in terms of that ability to go provide a managed services capability, not only for our capability, not only for our solutions, but solutions that are beyond Proofpoint.
But also I think there will be a broader consolidation of technologies and vendors so you have fewer things to manage and it’s a little bit easier. I think you’ll see a situation where not only do they consolidate, but they will embrace this outsourced model and really will try to find solutions to have as much automation in place as possible.
The more you can automate some of this discovery, some of this analysis, the better it will be. For example, Proofpoint has this ability to go tell you which job function and what departments are much more vulnerable because of a whole number of attributes. Well, the more we can try to automate through machine learning and try to make that as a deliverable to somebody who can make the assessment, the better.
I think those capabilities – in addition to staff augmentation and in addition to vendor consolidation – are three strategies you’re going to see accelerate in terms of how do people, at least in the short term, deal with staff shortages.
Anthony: Any final advice for our audience?
Ryan: We’re in the big conference season for HIMSS and other large events where we talk about all these topics. I will say from a cyber standpoint, stay focused on where the attacks are occurring. Today, people are being attacked and they are largely being attacked on email. That is the path that is still most favored.
I mean, obtaining credentials is the nirvana state for a bad actor. As Erik Decker or others might say – I don’t want to put words in their mouths – but if you’re tackling a ransomware event, the likelihood is there was a breach into your network a number of weeks previously, and they’ve been using that time to do reconnaissance and trying to figure out what’s really going on.
Of course, we have network vulnerability – networks can be vulnerable and medical devices can be vulnerable and we have to think about the totality of the security environment. But the data is very, very clear. Attacks are occurring by email using social engineering, that’s the most favored tactic. It’s not about zero days, it’s not about looking for network patch vulnerability – those happen. So focus where you’re being attacked, particularly in a situation now where you have to go make these tradeoffs.
For a long time now, it’s been around credentials being the nirvana breach state. If I had to place all my resources, or the majority of my resources, I would do my best to make sure that I’m ultra secure, or secure as possible, in that area.
And finally I want to go back to that container of agents, of that theme. You don’t need container agents across the workforce but there’s probably, I don’t know, 10% that need it because of the way they work and because most of them are being attacked.
Anthony: All right. Ryan, wonderful stuff. I appreciate your time today and it’s always good to talk to you.
Ryan: Thank you. I really appreciate it. See you soon.